How to bypass SSL decryption for an application

SSL decryption is a very strong tool in the hands of an administrator to protect the network and defend against malware, but some web-based applications have such a setup that decryption is not possible, or breaks the application (client certificates, exceptionally strong encryption, pinholing,...) and you need to set up a no decryption policy.

To exclude a URL category from decryption is easy enough, but what about a single application? At the time of writing, there is an outstanding Feature Request to be able to set applications to non-decrypt, so if you're looking for this particular feature, go ahead and reach out to your sales contact to add your vote to FR ID: 2946.

If you are good with a creative workaround leveraging the new log forwarding capabilities introduced in PAN-OS 8.0, community member @Ozamir was kind enough to share a workaround he put together to tackle an issue with a VPN appliance.